Talking Cybersecurity like strategy discussion for Rock-Paper-Scissors

(Image: rock-paper-scissors diagram, from Wikipedia.)

The problem is that cybersecurity seems easy to those of us in the security field (just like the game above), yet the strategy is hard to explain to an executive immersed in their regular world. Cyber strategy is also not so cut and dried.

The hackers are attacking old vulnerabilities because people are not patching their computers.

Yet even if a user patches the computer, one click on a phishing email and the computer is still hacked.

So what happens when a password is guessed, or stolen from a breached website where the user had entered and reused it? Now the hacker can access the network with your credentials.

If the hacker can log on to your network with your credentials, that is like winning every time at rock-paper-scissors: you get to see the other player's move before you make your own.

Then, on top of all that, what about zero-day attacks? Or forever-day attacks, where the hacker can keep attacking a particular platform until the problem is fixed (assuming it can be)?

No wonder a lot of people are, for the most part, tuning us security folks out:

(Image: slide from the RSA Conference talk "Advanced Strategies for Defending Against a New Breed of Attacks".)

From Cisco VP and Chief Architect Martin Roesch: http://www.rsaconference.com/media/advanced-strategies-for-defending-against-a-new-breed-of-attacks

From the image:

Even the basics are not covered. Less than half of security practitioners leverage critical security tools:

Security administration and provisioning: 43%
Patching and configuration: 38%
Pentesting: 29%
Quarantine malicious apps: 55%

SecOps is not just about Cisco selling new devices; it is doing the basics: patching, good password training, and security training in general. The difficulty with training is one of attention and focus.

Everyone wants to do their regular projects, not security projects. People do not want to remember difficult passwords or change them every 60 days.

Those of us in security have to be cognizant of the "regular" world.

We have to do the basics: although we will never be 100% secure (that cannot be done), we can make things better and much harder for the hacker, which is what a good cybersecurity program should do.

The key, of course, is to have personnel who can make decisions even while everything else is going on: focus and commitment. Communicating this is just as important.

How-To Hack Wifi: Testing Defenses

Testing our own Wi-Fi with the same tools an attacker would use is useful because it shows whether the defenses we set up actually hold.

Aircrack-ng, available on the Kali Linux operating system (the distribution built for pentesters and ethical hackers), is used to crack Wi-Fi encryption.

(Image: aircrack-ng terminal output.)

As the WonderHowTo tutorial shows, there are a few steps to perform before capturing data from the targeted Wi-Fi access point.

First, one has to set up a Wi-Fi card that airodump-ng can use, so that aircrack-ng can then attempt to crack the WEP or WPA key of the access point being tested.

“Aircrack-ng is the primary application with the aircrack-ng suite, which is used for password cracking. It’s capable of using statistical techniques to crack WEP and dictionary cracks for WPA and WPA2 after capturing the WPA handshake.”

One then has to accumulate a certain amount of captured data before trying to crack the key.

There are several other tools in the Aircrack-ng toolset:

Aireplay-ng – generates or accelerates traffic on the access point, and can potentially run WEP and WPA2 password attacks as well as ARP injection.

Airdecap-ng – decrypts wireless traffic once the key is cracked.

Airtun-ng – creates virtual tunnel interfaces.

Airolib-ng – stores or manages ESSIDs to help with password cracking.

Airbase-ng – turns the laptop/computer into an access point.

The reason to spend time testing defenses is that Wi-Fi tends to be set up and then forgotten; if it was set up incorrectly, it should be fixed.

We at Fixvirus.com offer a Wi-Fi service: the Psi service.

(Image: an old Linksys Wi-Fi router.)

Hydra Tool Can Crack Your Online Passwords

Here is a link that discusses using Hydra to try to crack online passwords at websites:

http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html

The tool can iterate through a set dictionary of passwords against SSH and FTP server accounts very easily, without any extra configuration.

It can also be pointed at website login forms that take usernames and passwords (like WordPress, Joomla, or other CMS (Content Management Systems)).

There is a better blog post explaining what Hydra does, with a successful sample attack:

http://cs337-unyunizer.blogspot.com/

(Image: Hydra output snippet from the cs337-unyunizer.blogspot.com webpage.)

All the white responses are failed attempts, while the green response is the successful attempt with the correct password.

So this tool makes a password attack easy to set up; the hard part, of course, is finding a good dictionary list of words to try against the username (this is also called a brute-force password attack).

It is interesting to note that if a CAPTCHA is implemented well, this method will not work at all.
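The same pattern seen from the server side, as an added example that is not from the original post or from the Hydra project: a run of failed logins from one source inside a short window, then a success (the green line in the screenshot), is what a dictionary attack leaves in the auth log. The sshd-style log lines, hostnames, users and addresses below are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style sample log (not from the original page): a burst of
# failed guesses from one address ending in a success, which is what a
# dictionary run looks like from the server side, plus one benign typo.
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:02 web1 sshd[2203]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:15:02 web1 sshd[2205]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar  3 10:15:03 web1 sshd[2207]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Mar  3 10:15:03 web1 sshd[2209]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Mar  3 10:15:04 web1 sshd[2211]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
Mar  3 10:20:44 web1 sshd[2300]: Failed password for alice from 198.51.100.12 port 40110 ssh2
Mar  3 10:20:59 web1 sshd[2302]: Accepted password for alice from 198.51.100.12 port 40111 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)

def parse_events(log_text):
    """Yield (timestamp, result, user, ip) for each sshd password-auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year; strptime defaults to 1900
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["ip"]

def find_dictionary_attacks(log_text, threshold=5, window_s=60):
    """Flag sources with >= threshold failed logins inside window_s seconds and
    record whether an 'Accepted' from the same source followed (the green line
    in the Hydra screenshot, seen from the defender's side)."""
    recent = defaultdict(list)  # ip -> timestamps of failures still in the window
    flagged = {}                # ip -> {"failures": n, "success_after": user or None}
    for ts, result, user, ip in parse_events(log_text):
        if result == "Failed":
            window = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
            window.append(ts)
            recent[ip] = window
            if len(window) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "success_after": None})
                entry["failures"] = len(window)
        elif ip in flagged and flagged[ip]["success_after"] is None:
            flagged[ip]["success_after"] = user  # a guessed credential was used
    return flagged
```

A lockout or rate limit keyed on the same per-source window stops the run before it reaches the green line; the single typo from the second address stays below the threshold and is not flagged.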

So, say one is a criminal hacker: the key is to find a good password file (built from passwords already known on the internet). There are likely files out there that let the criminal amass a decent password dictionary to attack sites with, or one can generate a file on one's own.

A good Google search can start the hacker on the way to building this file.

http://security.stackexchange.com/questions/1376/where-can-i-find-good-dictionaries-for-dictionary-attacks is one example.

There is a list of password dictionaries at https://wiki.skullsecurity.org/Passwords, including some lists that were used by the Conficker worm to spread, as well as some leaked passwords (from Sony, among others) that have been compiled there.

So you can see it is a relatively straightforward method for going after websites that have username and password logins.

Why am I saying this? Because we have to become better at making passwords: change your passwords, make them longer, and use less common word combinations with numbers and special characters. And the longer the better, to the tune of 10-20 letters.

Check this xkcd comic: http://xkcd.com/936/ . It shows pictorially that it is better to run several words together than to use difficult combinations that cannot be remembered.

How Dangerous is SQL Injection?

A good tutorial of basic SQL injection (without a tool):

http://www.kalitutorials.net/2014/03/sql-injection-how-it-works.html

(Image: manual SQL injection example, from the kalitutorials website.)

Notice the bottom entry. In the user-id field: ' OR 1= 1; /*

and in the password field: */--

As the image (from the kalitutorials website) states, the second entry gives you access to the data of all accounts.

Why is this? Because 1=1 is always "true", so the OR makes the WHERE clause match every row, and the /* ... */ pair turns the password comparison into a comment; we still have to enter something in the password field, which is why the closing */-- goes there.

If the SQL data entry process (or function) does not reject this input, there is a possibility that the database responds with all the data, or at least all the data in the specific table the SQL function is querying.
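The injection above worked through in Python against an in-memory SQLite table, as an added example that is not code from the original post or the kalitutorials site: the concatenated query returns every account, while the parameterized version treats the very same input as plain text. The table, accounts and passwords are constructed sample data.

```python
import sqlite3

# Constructed sample data (not from the original page): two accounts in an
# in-memory SQLite table, standing in for a CMS user table.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
]

# The two form entries from the kalitutorials screenshot discussed above.
INJECTED_USER = "' OR 1= 1; /*"
INJECTED_PASS = "*/--"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_sql(username, password):
    # String concatenation: whatever the user typed becomes part of the SQL text.
    return ("SELECT username, email FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    # With the injected entries the statement text becomes:
    #   ... WHERE username = '' OR 1= 1; /*' AND password = '*/--'
    # '' OR 1=1 is true for every row, and the password check sits inside /* */.
    return conn.execute(build_vulnerable_sql(username, password)).fetchall()


def login_safe(conn, username, password):
    # Parameterized query: the input is bound as a value and never parsed as
    # SQL, so the quote and comment characters are just characters.
    sql = "SELECT username, email FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, INJECTED_USER, INJECTED_PASS))  # both rows
    print("safe:      ", login_safe(db, INJECTED_USER, INJECTED_PASS))        # []
```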

 

As the website mentions, this is basically what the automated tools do, with some variations in the entries.

Another interesting bit of information is dorks: queries entered into a search engine (Google, for example) that find websites with certain text in them, such as inurl:"buy.php?category=".

(Image: dork search query results.)

Notice the UNION ALL SELECT null,null in the search results.

This is how your website can be "found out" by criminal hackers as they look for victims for their attacks.

Slowly but surely they then move on to more sophisticated attacks using sqlmap and other tools:

http://www.kalitutorials.net/2014/03/hacking-website-with-sqlmap-in-kali.html

With sqlmap you can test the URL for injection with a command like

sqlmap -u <URL to inject>

As the hacker maps out your data, they get more and more information that was never meant for public consumption (or so it was thought).

It is not a good idea for a site to give out too much information without knowing the circumstances. As an ethical hacker, one needs permission before attempting to crack (or hack) a database interface, and if the interface is giving out too much information, one has to mitigate that situation.

At this point I will leave more sqlmap hacking for a specific pentest situation.

Contact Us to discuss further details.

Training the Next Cybersecurity Professionals

http://www.darkreading.com/operations/educating-the-cyberwarriors-of-the-future/a/d-id/1319590

 

Jeff Shilling opines that we need more experienced people in the cybersecurity field. As usual, the issue is that senior-level execs do not fully understand the difference between:

1. a person with 5+ years of experience in IT plus cybersecurity knowledge and some certifications (no university degree), or

2. a person with 2 years of experience and all the cybersecurity certifications (plus a university degree).

His assertion is that experience trumps formal education. Someone who came out of college with a degree usually spent 4 years earning it; add 1 or 2 years in the working world, and it does seem that a college degree (even in computer science or engineering) would not give the same outlook on a cybersecurity job as 5 years in the working world without a 4-year college degree.

I think he misses the point: we need someone with experience (2-5 years or more) and a college degree, since the difficulties in today's cybersecurity field will not become simpler.

There is nothing like being placed in a situation that was not in the books and was not taught by the college instructors, where the person has to figure it out on the job as it comes.

(Image: Certified Ethical Hacker logo.)

A Certified Ethical Hacker has to have at least 4 years of security experience, or 3 years of security experience plus a college degree. So the college degree is worth 1 year of experience, not 3 or 4.

Another aspect is Cyber Security training for all users:

http://garyleemillner.com/information-security-awareness-or-cybersecurity-training/#sthash.ZZD0J8Vf.dpbs

(Image: security awareness training graphic, from garyleemillner.com.)

Most people do not understand cybersecurity and have had no training.

That makes sense; it is why we have this big problem of phishing and malware downloads. The general understanding of cybersecurity is horrible, and this is also why senior execs have such a low understanding of the true problem at hand.

Oversitesentry.com and fixvirus.com are trying to change that. Little by little, we are trying to help.